Securing Elasticsearch#

Elasticsearch allows encryption of communication with TLS with their X-pack module.

SSL certificate#

For this the certificate files can be put into /etc/elasticsearch/certs as:

• servername.key

• servername.crt

• ca.crt

They are then referenced in /etc/elasticsearch/elasticsearch.yml by adding the following lines:

xpack.ssl.key: certs/servername.key
xpack.ssl.certificate: certs/servername.crt
xpack.ssl.certificate_authorities: certs/ca.crt

xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true


Full documentation is available in the Elasticsearch manual at Encrypting Communications.

Access to Elasticsearch is passed through Nginx as well. To use HTTPS, the configuration needs to be adjusted in /etc/nginx/conf.d/00-default.conf to access https://elastic instead of http://elastic. This can be achieved with the following command on the shell:

# sed -i'' -e '[email protected]://[email protected]://[email protected]' /etc/nginx/conf.d/00-default.conf
# nginx -t


To change the connection pattern in Elastisearch you must edit /etc/squirro/common.ini and change th following line:

es_index_servers = http://127.0.0.1:81/ext/elastic


To:

es_index_servers = https://127.0.0.1:81/ext/elastic


All the relevant service accessing Elasticsearch must be restarted after this configuration. It’s best to use squirro_restart utility to restart all services

A password can be defined to access Elasticsearch. For this the following line needs to be added to /etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: true


Then restart Elasticsearch

systemctl restart elasticsearch


The password can then be defined by calling the command:

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive


After you set your password, you are required to add this parameter to Squirro. You must edit the /etc/squirro/common.ini file and add the following lines (under the [index] section):

es_auth_user = elastic # or the user you selected


NB: you can also generate a random password by calling:

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b


Restart all the Squirro services

squirrro_restart


Important: on ES version < 7.7.1 you must first install x-pack and then the commands change as follow:

/usr/share/elasticsearch/bin/bin/x-pack/elasticsearch-setup-passwords auto -b


SSL can be enabled for MariaDB connections by setting the following configuration value in /etc/squirro/common.ini:

[db]
ssl=true
ssl_ca=<PATH_TO_SSL_CERTIFICATE>


The [db] section will already exist in the config file, thus the full section will then look something like this:

[db]